Security
How we keep your sites safe.
Last updated 2026-07-14. Concrete controls, real boundaries, one channel for disclosure.
Data we hold
- Account email + bcrypt password hash — stored in Supabase Auth. We never see or store the plaintext password.
- Project source files — stored in Cloudflare R2, scoped per customer via the API key. Encrypted at rest by R2 (AES-256).
- Deploy logs + status — stored in Cloudflare KV, key-prefixed by your customer ID. Logs are scoped per-customer; one customer can't read another's logs through any API path.
- API keys you create — hashed at rest using SHA-256. The plaintext is shown once at creation and never retrievable again.
Transport + headers
- TLS 1.3 only on krexel.com, api.krexel.com, and all worker endpoints. HSTS preload + 2-year max-age.
- CSP locked to first-party + the small set of integrations we actually use (Cloudflare Pages, Vercel Analytics, Vercel Speed Insights). No
unsafe-eval. Inline scripts only allowed for Next.js hydration JSON. - X-Frame-Options: DENY +
frame-ancestors 'none'on every route — no clickjacking surface. - Referrer-Policy: strict-origin-when-cross-origin — we don't leak target paths to third parties.
- Permissions-Policy denies camera, microphone, geolocation, and FLoC cohort tracking on every route.
Auth + API access
- Password storage — bcrypt handled entirely by Supabase (cost factor 12+). We can't reset it for you; we issue a reset link instead, which never crosses our app servers in plaintext.
- Session cookies — HttpOnly + Secure + SameSite=Lax + 8-hour idle expiry. No JWT in localStorage.
- API keys — scoped per-customer; passing one key to two customers' deploys returns 403. The
X-Krexel-Keyheader is the only way to authenticate against the worker. - Rate limits —
POST /signupis rate-limited at the edge./api/v1/keysand/api/v1/teamshare a per-customer limit. Once a customer reaches their tier, excess calls return 429 instead of being silently dropped.
What we don't do
- We don't run background analytics on your dashboard. Vercel Web Analytics is GDPR-clean (no cookies, no fingerprinting) and is the only third-party script on marketing pages.
- We don't sell, share, or rent your data with third parties for any purpose.
- We don't store your card details. Payments are tokenised by Stripe; we only ever see the last 4.
- We don't allow cross-customer reads at any layer. The worker checks customer identity on every KV read.
Report a vulnerability
If you've found a security issue in krexel.com, api.krexel.com, or any of our open source repos, please email security@krexel.com. PGP key on the page. We respond within 48 hours; critical CVEs get a coordinated disclosure window. We pay bounties for confirmed high/critical findings — current range £50–£2,000 depending on impact.
Please don't file security issues as GitHub issues or on public Discord channels before we've coordinated. Responsible disclosure keeps users safe.
Sub-processors
The third parties we rely on:
- Supabase (Postgres + Auth) — EU/US region; data processing addendum on file with Supabase Inc.
- Cloudflare (Workers, R2, KV) — global edge; GDPR-compliant. Storage in the EU where possible.
- Vercel (hosting + analytics) — US; their own DPA applies.
- Stripe (payments) — US; PCI-DSS Level 1 certified.
See our DPA for the data flow diagram and where each sub-processor sits.